Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites - as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. After all, have you seen how easy it is to find XSS flaws in Web sites? As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity.' Moore, as far as production websites are concerned: 'There is no way to report a vulnerability safely.'"

If the hardware store gets broken into it mainly affects the owner(s) of the store, the people who work there, and not many other people. If a site like yahoo (the mail aspect of it), a banking site, or paypal is broken into and exploited then it affects every single person who uses the site in a very negative way. I don't think publicly announcing a vulnerability in a specific public service or facility is very responsible.

At the same time, many businesses don't do anything to fix the problem if only one person tells them about it. The public releases we commonly see are sometimes necessary because without the pressure of the public eye the business won't correct the problems in its service. I've done things similar to this on a few occasions. I found a vulnerability in Surgemail, an all-in-one mail server software for Linux, which allowed any remote user to read any mail to the root account, and to send mail as root. I emailed them about it several times and received no reply for over six months. I finally released the info on it, and they fixed it two weeks later. I did something similar with an online service schools in my area offer which allows anyone to see the grades and personal info (SS#, home address, etc) of students in the school through a SQL injection. I contacted several schools about the issue as well as the company they had contracted to write the software for them. It's been 2 years and they still haven't fixed it.

A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged with attempted B&E. You don't get to do a security audit on people's front doors.

Exploiting computer vulnerabilities is a crime. I'm not sure finding computer vulnerabilities is or should be a crime. I could just as easily use the analogy, "looking at the windows of houses to see if they are open or unlocked is not a crime, but climbing through a window is." I think laws that rely upon somehow knowing the intent of the person performing an act are pretty poor laws. If I go tell you your locks are really old and can be opened with a plastic fork because I noticed it while walking by, and you happen to run a store I do business with and hence have my CC# on file, that sure shouldn't be a crime. If I write a letter to the editor of the newspaper saying the same, it should not be a crime.